capricorn80
New Contributor II

Fortigate 100E: Correct way to use Management Interface

Hi!

I posted a static route issue in another post of mine, but after reading a few posts it looks like I need a management VDOM for the management interface to work correctly, so I am asking that here.

I have a dedicated management interface, but I cannot access it from my normal VLAN. I can access it from my laptop in the management subnet. As I am putting this firewall into production, I need to know the right steps to configure it so that I can access the management interface from the normal VLAN.

Can anyone provide the right way to do it?

Thanks
Nicholas_Doropoulos
Contributor

Hi,

The first thing I would do is check the status of the management interface and see whether it has been configured correctly in terms of the management protocols that need to be enabled, along with its associated IP address, subnet mask, etc. This can be checked under Network >> Interfaces on the GUI.

Then, I would check that there are no trusted hosts configured.

Failing that, just for testing purposes, I would enable Local Traffic Log under Log & Report >> Log Settings. The local traffic log includes management traffic and will provide you with more information during the testing process.

Next, I would proceed to run a sniffer. On the CLI, run the following command:

diag sniffer packet [management-interface-goes-here] 'host [ip address that you test from goes here]' 6

Moreover, under Network >> Packet Capture, you can set a filter to capture the interesting traffic, which you can then analyse in Wireshark.

For deeper troubleshooting, you can also run a debug by following the instructions below:

diag debug disable
diag debug flow trace stop
diag debug flow filter clear
diag debug reset
diag debug flow filter addr [ip address you test from goes here]
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diag debug flow trace start 100
diag debug enable

Once you have collected the output of the above, ensure that debugging is disabled:

diag debug disable
diag debug flow trace stop
diag debug flow filter clear
diag debug reset

Provided that local traffic logging was enabled at the very start, you should also be able to see more information in the resulting log.

Feel free to post the outputs of all of the above here, along with a diagram of your topology if possible, so we can assist you further.

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
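As an added example (not part of this thread and not Fortinet's own documentation), here is a FortiOS CLI configuration that covers the three items the reply says to verify on a dedicated management interface: the management protocols on the interface, the dedicated-management default gateway, and the admin trusted hosts. The interface name "mgmt", the 10.10.10.0/24 management subnet, the 10.10.10.254 gateway and the 192.168.20.0/24 user VLAN are assumed values; the `#` lines are comments for the reader, not CLI input.

```fortios
# Assumed values: interface "mgmt", management subnet 10.10.10.0/24,
# gateway 10.10.10.254, user VLAN 192.168.20.0/24 (not from the thread).

# 1. Management protocols and address on the dedicated interface.
#    A protocol missing from allowaccess is dropped silently, which in a
#    sniffer looks like a SYN or echo request that never gets a reply.
config system interface
    edit "mgmt"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh
        set dedicated-to management
    next
end

# 2. The dedicated management interface has its own default gateway and does
#    not use the data VDOM's routing table. Replies to hosts outside
#    10.10.10.0/24 (such as the user VLAN) leave via this gateway, so the
#    gateway must have a route back to 192.168.20.0/24.
config system dedicated-mgmt
    set status enable
    set interface "mgmt"
    set default-gateway 10.10.10.254
end

# 3. Trusted hosts. Once any trusthost is set on an admin account, logins
#    from every other source are dropped before the service answers.
#    Before: only the management subnet is listed, so a user-VLAN laptop
#    is rejected even though routing is fine.
config system admin
    edit "admin"
        set trusthost1 10.10.10.0 255.255.255.0
    next
end
# After: add the admin workstation VLAN, keeping the list narrow rather
# than opening it to 0.0.0.0/0.
config system admin
    edit "admin"
        set trusthost1 10.10.10.0 255.255.255.0
        set trusthost2 192.168.20.0 255.255.255.0
    next
end

# 4. Verify the interface state, then capture an SSH attempt from a
#    user-VLAN host (192.168.20.50 is an assumed test address).
get system interface physical
diagnose sniffer packet mgmt 'host 192.168.20.50 and port 22' 6
```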
capricorn80

I will check that, but I did a diag and I can see the echo request and SSH SYN coming to the firewall, but the FW is not sending an ACK or echo reply.

capricorn80

I think this will only work if you create another VDOM and assign the management interface to that VDOM.
